DPO DPO Israel
Open as Markdown

Personal Data Mapping
Foundation for everything.

Professional data mapping: discovery of every personal-data asset, field/system documentation, database definition documents per 2017 Security Regulations, RoPA tables per GDPR Article 30, sensitivity classification, and vendor mapping. Without mapping — no real gap analysis, no Authority registration, no data-subject request handling, no security framework. With good mapping — everything is possible.

Process

Six stages — one database or two hundred

01

Discovery

Interviews with every department. System and vendor lists, forms, spreadsheets. Discovery of "shadow databases" (Shadow IT, OneDrive Excels).

02

RoPA documentation

Records of Processing Activities table per GDPR Article 30 — purpose, legal basis, data types, subjects, recipients, retention, security.

03

Database definition document

For each relevant database — a document per the 2017 Security Regulations. Owner, security manager, security level, access controls.

04

Sensitivity classification

Basic data, special-category data (Section 7), medical data, data on minors. Each classification triggers a corresponding security level.

05

Data-flow mapping

Who receives the data? Where does it flow? Which vendors touch it? Cross-border transfers? Visualized in a flow diagram.

06

Authority registration integration

When registration with the Authority is required — we perform it, including the registration fee (organization cost).

Deliverables

What stays with you

RoPA table

Excel/Sheets with 12-15 columns per database. Standard format that works for both Amendment 13 and GDPR.

Database definition document

Separate document per relevant database, per 2017 Security Regulations. Required by owner and security manager.

Data-flow diagram

Who receives what, from whom, when. Visual — easy for non-technical management to understand.

Vendor matrix

Every vendor and which databases they touch. Foundation for vendor privacy.

Data-subject rights matrix

Where to find information when an access/correction/deletion request arrives. Saves hours on every request.

Gap list

Databases without documentation, missing critical fields. Feeds the gap analysis.

Frequent questions about data mapping

How long does mapping take?
Depends on size. Small org (5-10 systems) — 3-4 weeks. Mid-size (20-50 systems) — 6-8 weeks. Large with 100+ systems or municipality — 10-14 weeks.

Difference from gap analysis?
Mapping describes what exists. Gap analysis compares to legal requirements. Mapping is the foundation. No real gap analysis is possible without mapping.

We already have an Authority registration — is that enough?
Good signal of awareness. But typically the registration is limited (3-5 databases) and doesn’t reflect the full organization. We produce a more complete mapping, and update Authority registration if needed.

Does mapping include field-level analysis?
Yes. We document the most sensitive fields per database — IDs, credit cards, medical data, data on minors. These drive required security levels and DPO obligation.

Who do you need from us?
One contact per department — manager, secretary, or "the person who knows the systems best". We lead, interview, document. Not your job to write the RoPA — that’s ours.

When should we map?
If you don’t have current database definition documents — now. If documents are from 2019 or earlier — now (Amendment 13 changed things). If the org went through restructuring, acquisition, or new system in the last 12 months — now.

Ready to know what you actually have?

Professional mapping, fully documented, yours to keep.

Book a call